Loading openssl-sys/src/lib.rs +1 −0 Original line number Diff line number Diff line Loading @@ -143,6 +143,7 @@ pub const SSL_ERROR_WANT_X509_LOOKUP: c_int = 4; pub const SSL_ERROR_ZERO_RETURN: c_int = 6; pub const SSL_VERIFY_NONE: c_int = 0; pub const SSL_VERIFY_PEER: c_int = 1; pub const SSL_VERIFY_FAIL_IF_NO_PEER_CERT: c_int = 2; pub const TLSEXT_NAMETYPE_host_name: c_long = 0; Loading openssl/src/ssl/mod.rs +12 −9 Original line number Diff line number Diff line Loading @@ -115,13 +115,16 @@ impl SslMethod { } /// Determines the type of certificate verification used #[derive(Copy, Clone, Debug)] #[repr(i32)] pub enum SslVerifyMode { bitflags! { flags SslVerifyMode: i32 { /// Verify that the server's certificate is trusted SslVerifyPeer = ffi::SSL_VERIFY_PEER, const SSL_VERIFY_PEER = ffi::SSL_VERIFY_PEER, /// Do not verify the server's certificate SslVerifyNone = ffi::SSL_VERIFY_NONE const SSL_VERIFY_NONE = ffi::SSL_VERIFY_NONE, /// Terminate handshake if client did not return a certificate. /// Use together with SSL_VERIFY_PEER. const SSL_VERIFY_FAIL_IF_NO_PEER_CERT = ffi::SSL_VERIFY_FAIL_IF_NO_PEER_CERT, } } lazy_static! { Loading Loading @@ -346,7 +349,7 @@ impl SslContext { mem::transmute(verify)); let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int = raw_verify; ffi::SSL_CTX_set_verify(self.ctx, mode as c_int, Some(f)); ffi::SSL_CTX_set_verify(*self.ctx, mode.bits as c_int, Some(f)); } } Loading @@ -366,7 +369,7 @@ impl SslContext { mem::transmute(data)); let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int = raw_verify_with_data::<T>; ffi::SSL_CTX_set_verify(self.ctx, mode as c_int, Some(f)); ffi::SSL_CTX_set_verify(*self.ctx, mode.bits as c_int, Some(f)); } } Loading openssl/src/ssl/tests.rs +12 −11 Original line number Diff line number Diff line Loading 
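Review bot: `SSL_VERIFY_NONE` is declared as a bitflag whose value is 0 (`ffi::SSL_VERIFY_NONE` is `0` in the openssl-sys hunk), so it is the empty set rather than a real bit: `mode.contains(SSL_VERIFY_NONE)` is true for every mode, including `SSL_VERIFY_PEER`, and `SSL_VERIFY_PEER | SSL_VERIFY_NONE` silently equals `SSL_VERIFY_PEER`. That is fail-safe (verification wins), but a caller that tests for "verification disabled" with `contains` gets the wrong answer, so the doc comment should say so, e.g. `/// Do not verify the peer's certificate. This is the empty flag set (same as SslVerifyMode::empty()); test for it with is_empty(), not contains().`. Per OpenSSL's SSL_CTX_set_verify semantics, `SSL_VERIFY_PEER` alone on the server side requests but does not require a client certificate, and `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` has no effect in client mode; the two doc comments currently describe only the client-side view and would benefit from stating this. The `*self.ctx` deref in both `SSL_CTX_set_verify` calls relies on a change to the `ctx` field that is not part of this diff; presumably it landed separately, but confirm the commit builds against the intended base.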
@@ -12,10 +12,11 @@ use crypto::hash::Type::{SHA256}; use ssl; use ssl::SslMethod::Sslv23; use ssl::{SslContext, SslStream, VerifyCallback}; use ssl::SslVerifyMode::SslVerifyPeer; use ssl::SSL_VERIFY_PEER; use x509::X509StoreContext; #[cfg(feature = "npn")] use x509::X509FileType; use x509::{X509StoreContext}; #[test] fn test_new_ctx() { Loading @@ -32,7 +33,7 @@ fn test_new_sslstream() { fn test_verify_untrusted() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, None); ctx.set_verify(SSL_VERIFY_PEER, None); match SslStream::new(&ctx, stream) { Ok(_) => panic!("expected failure"), Err(err) => println!("error {:?}", err) Loading @@ -43,7 +44,7 @@ fn test_verify_untrusted() { fn test_verify_trusted() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, None); ctx.set_verify(SSL_VERIFY_PEER, None); match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} Some(err) => panic!("Unexpected error {:?}", err) Loading @@ -61,7 +62,7 @@ fn test_verify_untrusted_callback_override_ok() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match SslStream::new(&ctx, stream) { Ok(_) => (), Err(err) => panic!("Expected success, got {:?}", err) Loading @@ -75,7 +76,7 @@ fn test_verify_untrusted_callback_override_bad() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); assert!(SslStream::new(&ctx, stream).is_err()); } Loading 
@@ -86,7 +87,7 @@ fn test_verify_trusted_callback_override_ok() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} Some(err) => panic!("Unexpected error {:?}", err) Loading @@ -104,7 +105,7 @@ fn test_verify_trusted_callback_override_bad() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} Some(err) => panic!("Unexpected error {:?}", err) Loading @@ -120,7 +121,7 @@ fn test_verify_callback_load_certs() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); assert!(SslStream::new(&ctx, stream).is_ok()); } Loading @@ -132,7 +133,7 @@ fn test_verify_trusted_get_error_ok() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} Some(err) => panic!("Unexpected error {:?}", err) Loading 
@@ -148,7 +149,7 @@ fn test_verify_trusted_get_error_err() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); assert!(SslStream::new(&ctx, stream).is_err()); } Loading @@ -173,7 +174,7 @@ fn test_verify_callback_data() { // Please update if "test/cert.pem" will ever change let node_hash_str = "46e3f1a6d17a41ce70d0c66ef51cee2ab4ba67cac8940e23f10c1f944b49fb5c"; let node_id = node_hash_str.from_hex().unwrap(); ctx.set_verify_with_data(SslVerifyPeer, callback, node_id); ctx.set_verify_with_data(SSL_VERIFY_PEER, callback, node_id); ctx.set_verify_depth(1); match SslStream::new(&ctx, stream) { Loading Loading
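Review bot: None of the updated tests exercises `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` or a composed mode, so the new `mode.bits as c_int` path in `set_verify`/`set_verify_with_data` is only ever hit with a single flag; every call site in this file is a plain `SslVerifyPeer` → `SSL_VERIFY_PEER` substitution. The new flag applies to the server side of the handshake, so it cannot be covered by this client-connects-to-127.0.0.1:15418 harness, but a cheap no-network test can at least pin the bit composition: `let mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;` followed by `assert_eq!(mode.bits, 3);` (1 | 2 from the openssl-sys constants), with `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` added to the `use ssl::...` import at the top of the file's first hunk. The `use x509::{X509StoreContext};` → `use x509::X509StoreContext;` tidy-up is fine but unrelated to this change.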
openssl-sys/src/lib.rs +1 −0 Original line number Diff line number Diff line Loading @@ -143,6 +143,7 @@ pub const SSL_ERROR_WANT_X509_LOOKUP: c_int = 4; pub const SSL_ERROR_ZERO_RETURN: c_int = 6; pub const SSL_VERIFY_NONE: c_int = 0; pub const SSL_VERIFY_PEER: c_int = 1; pub const SSL_VERIFY_FAIL_IF_NO_PEER_CERT: c_int = 2; pub const TLSEXT_NAMETYPE_host_name: c_long = 0; Loading
openssl/src/ssl/mod.rs +12 −9 Original line number Diff line number Diff line Loading @@ -115,13 +115,16 @@ impl SslMethod { } /// Determines the type of certificate verification used #[derive(Copy, Clone, Debug)] #[repr(i32)] pub enum SslVerifyMode { bitflags! { flags SslVerifyMode: i32 { /// Verify that the server's certificate is trusted SslVerifyPeer = ffi::SSL_VERIFY_PEER, const SSL_VERIFY_PEER = ffi::SSL_VERIFY_PEER, /// Do not verify the server's certificate SslVerifyNone = ffi::SSL_VERIFY_NONE const SSL_VERIFY_NONE = ffi::SSL_VERIFY_NONE, /// Terminate handshake if client did not return a certificate. /// Use together with SSL_VERIFY_PEER. const SSL_VERIFY_FAIL_IF_NO_PEER_CERT = ffi::SSL_VERIFY_FAIL_IF_NO_PEER_CERT, } } lazy_static! { Loading Loading @@ -346,7 +349,7 @@ impl SslContext { mem::transmute(verify)); let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int = raw_verify; ffi::SSL_CTX_set_verify(self.ctx, mode as c_int, Some(f)); ffi::SSL_CTX_set_verify(*self.ctx, mode.bits as c_int, Some(f)); } } Loading @@ -366,7 +369,7 @@ impl SslContext { mem::transmute(data)); let f: extern fn(c_int, *mut ffi::X509_STORE_CTX) -> c_int = raw_verify_with_data::<T>; ffi::SSL_CTX_set_verify(self.ctx, mode as c_int, Some(f)); ffi::SSL_CTX_set_verify(*self.ctx, mode.bits as c_int, Some(f)); } } Loading
openssl/src/ssl/tests.rs +12 −11 Original line number Diff line number Diff line Loading @@ -12,10 +12,11 @@ use crypto::hash::Type::{SHA256}; use ssl; use ssl::SslMethod::Sslv23; use ssl::{SslContext, SslStream, VerifyCallback}; use ssl::SslVerifyMode::SslVerifyPeer; use ssl::SSL_VERIFY_PEER; use x509::X509StoreContext; #[cfg(feature = "npn")] use x509::X509FileType; use x509::{X509StoreContext}; #[test] fn test_new_ctx() { Loading @@ -32,7 +33,7 @@ fn test_new_sslstream() { fn test_verify_untrusted() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, None); ctx.set_verify(SSL_VERIFY_PEER, None); match SslStream::new(&ctx, stream) { Ok(_) => panic!("expected failure"), Err(err) => println!("error {:?}", err) Loading @@ -43,7 +44,7 @@ fn test_verify_untrusted() { fn test_verify_trusted() { let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, None); ctx.set_verify(SSL_VERIFY_PEER, None); match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} Some(err) => panic!("Unexpected error {:?}", err) Loading @@ -61,7 +62,7 @@ fn test_verify_untrusted_callback_override_ok() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match SslStream::new(&ctx, stream) { Ok(_) => (), Err(err) => panic!("Expected success, got {:?}", err) Loading @@ -75,7 +76,7 @@ fn test_verify_untrusted_callback_override_bad() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); assert!(SslStream::new(&ctx, stream).is_err()); } Loading 
@@ -86,7 +87,7 @@ fn test_verify_trusted_callback_override_ok() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} Some(err) => panic!("Unexpected error {:?}", err) Loading @@ -104,7 +105,7 @@ fn test_verify_trusted_callback_override_bad() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} Some(err) => panic!("Unexpected error {:?}", err) Loading @@ -120,7 +121,7 @@ fn test_verify_callback_load_certs() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); assert!(SslStream::new(&ctx, stream).is_ok()); } Loading @@ -132,7 +133,7 @@ fn test_verify_trusted_get_error_ok() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); match ctx.set_CA_file(&Path::new("test/cert.pem")) { None => {} Some(err) => panic!("Unexpected error {:?}", err) Loading 
@@ -148,7 +149,7 @@ fn test_verify_trusted_get_error_err() { } let stream = TcpStream::connect("127.0.0.1:15418").unwrap(); let mut ctx = SslContext::new(Sslv23).unwrap(); ctx.set_verify(SslVerifyPeer, Some(callback as VerifyCallback)); ctx.set_verify(SSL_VERIFY_PEER, Some(callback as VerifyCallback)); assert!(SslStream::new(&ctx, stream).is_err()); } Loading @@ -173,7 +174,7 @@ fn test_verify_callback_data() { // Please update if "test/cert.pem" will ever change let node_hash_str = "46e3f1a6d17a41ce70d0c66ef51cee2ab4ba67cac8940e23f10c1f944b49fb5c"; let node_id = node_hash_str.from_hex().unwrap(); ctx.set_verify_with_data(SslVerifyPeer, callback, node_id); ctx.set_verify_with_data(SSL_VERIFY_PEER, callback, node_id); ctx.set_verify_depth(1); match SslStream::new(&ctx, stream) { Loading